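# Static Application Security Testing and Dependency Scanning, pulled in
# from GitLab's bundled templates. GitLab automatically runs SAST scanners
# for your language (Python, Java, Go, etc.) and shows vulnerabilities in
# merge requests.
#
# Both templates belong in ONE `include:` list: two top-level `include:`
# keys in the same .gitlab-ci.yml are a duplicate key, and a YAML parser
# typically keeps only the last one, silently dropping the first scanner.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# Secret Detection — prevents accidental commits of passwords/keys.
# The snippet this heading introduces is missing from the page; the
# matching bundled template is Security/Secret-Detection.gitlab-ci.yml
# and would be added to the same `include:` list.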
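# Build the application image and push it to the GitLab Container Registry.
# Uses the pinned docker CLI/dind pair so builds are reproducible; runs only
# for the default branch (main).
build:
  stage: build-image
  image: docker:20.10.16
  services:
    - docker:20.10.16-dind
  script:
    # Supply the registry password on stdin instead of `-p`: a password
    # passed as a CLI argument is visible in the process list and in any
    # traced shell line of the job log (docker itself warns about this).
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"
  # `rules` replaces the deprecated `only:` keyword and matches the style
  # of the other jobs in this pipeline.
  rules:
    - if: $CI_COMMIT_BRANCH == "main"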
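# Registry coordinates shared by every job in the pipeline.
variables:
  DOCKER_REGISTRY: registry.gitlab.com
  APP_NAME: myapp

job:
  script:
    # Quoted so an empty or space-containing variable cannot split the
    # argument list.
    - docker build -t "$DOCKER_REGISTRY/$APP_NAME" .

include:
  # GitLab resolves bundled templates by their full file name, as in the
  # other include examples; a bare `Security/SAST` is not a valid template.
  - template: Security/SAST.gitlab-ci.yml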
# Pipeline-level rules: run merge-request pipelines, suppress the duplicate
# branch pipeline while a merge request is open for that branch, and still
# run ordinary branch pipelines otherwise.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # A branch push that already has an open MR would otherwise start a
    # second, redundant pipeline next to the MR pipeline.
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH

# Now each merge request runs a full pipeline, and GitLab blocks merging if
# tests fail. (NOTE(review): merge blocking depends on the project's
# "pipelines must succeed" merge check being enabled — confirm in the
# project settings.)
#
# Modern applications often consist of multiple microservices. GitLab
# supports cross-project automation.
#
# Triggering a downstream pipeline — in project A (frontend):
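# Staging deploy. It has no `rules`, so it runs in every pipeline that
# reaches the deploy stage (under the workflow rules shown earlier that
# includes merge-request pipelines) — presumably intended for the tutorial;
# verify this is acceptable for a real project.
deploy_staging:
  stage: deploy
  script:
    - kubectl apply -f k8s/staging/
  environment:
    name: staging
    url: https://staging.myapp.com

# Production deploy, triggered by pushing a tag. `when: manual` adds an
# explicit approval click so an unexpected or mistaken tag cannot roll out
# to production unattended; pair it with a protected environment so only
# authorised users can start the job.
deploy_prod:
  stage: deploy
  script:
    - kubectl apply -f k8s/prod/
  environment:
    name: production
    url: https://myapp.com
  rules:
    - if: $CI_COMMIT_TAG
      when: manual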
# Unit tests with a JUnit report that GitLab renders inside the merge
# request, plus the coverage directory kept as a downloadable artifact for
# one week.
test:
  script:
    - npm test
  artifacts:
    reports:
      junit: junit.xml
    paths:
      - coverage/
    expire_in: 1 week

# GitLab can even display test reports directly in merge requests!
#
# One of the most powerful automation patterns is building and pushing
# Docker images.
#
# Example: Build and Push to GitLab Container Registry
stages:
  - build-image
  - scan
  - deploy

variables:
  # Tag every image with the short commit SHA so each build is traceable
  # back to the exact source revision it was built from.
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
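# Scan the freshly built image for known vulnerabilities before it can be
# deployed.
#
# The original `docker run --rm $IMAGE_TAG trivy image $IMAGE_TAG` started
# the *application* image and tried to execute `trivy` inside it, which the
# application image does not normally contain; it also had no docker
# service for `docker run` to talk to, and no exit code, so findings could
# never block the pipeline. Running the scanner from its own image fixes
# all three.
container_scan:
  stage: scan
  image:
    # Pin the scanner version: `latest` makes scan results non-reproducible
    # and lets an unreviewed tool update change what passes.
    name: aquasec/trivy:<TRIVY_VERSION>  # <TRIVY_VERSION>: placeholder, pin a release
    # The trivy image's default entrypoint is the scanner binary; GitLab
    # needs a shell to run `script`, so clear it.
    entrypoint: [""]
  script:
    # `--exit-code 1` turns the scan into a real gate: HIGH/CRITICAL
    # findings fail the job and, by stage ordering, stop the deploy stage.
    - trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE_TAG"
  # NOTE(review): assumes the runner can pull $IMAGE_TAG from the registry;
  # a private project registry needs TRIVY_USERNAME/TRIVY_PASSWORD set from
  # CI variables — verify against the project's registry visibility.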